Imagine a product that gets worse over time and costs more over time. That's not very good, is it? That seems to be the pattern with computer software: everybody is constantly rewriting the same piece of software that's existed for the better part of half a century, and it always is a little bit crappier and it always costs a little bit more. The latest thing to fall victim to that is LastPass. LastPass, to be sure, is a little bit service and a little bit software; combine the two together, and LastPass historically has been a really good tool for doing basic password hygiene. And this is actually something everybody should be concerned about, password hygiene. In the modern secure world nobody should be using the same password for every website; probably you should be using a randomly generated password, but then the problem becomes, how do you manage that? Well, there's software for that. Sometimes you can also use tokens. We've got a YubiKey here; we've done videos in the past on YubiKey. It's basically a hardware security token. It's like a car key, but you plug it in, and instead of bumps on a piece of metal it's bumps in an equation, a mathematical equation, solutions for a mathematical equation. And believe it or not, these kinds of tokens are really secure. Let's dive in.

All right, so first up let's talk about LastPass. It's more than just a password manager; it's also a synchronization service, so you can have your phone and your laptop and your other laptop and your work laptop and your home computer and your other home computer, your whole family. They've really figured out a lot of value-adds for the product. The problem is that while this was really innovative and awesome a couple of years ago, it's really pretty bog-standard now. It's kind of a race to the bottom; this is just basic infrastructure, it's basic plumbing. It's in the news: they're changing their free account. Are you going to have to subscribe? No doubt a lot of people are going to subscribe, but I don't think that it's really the best idea. There are free alternatives that are as good as or better than LastPass. I think that the version that they want you to pay for is not worth it.

This is the thing that's really so upsetting to me about this: it's not that they're charging money for this, it's that they act like this is some premium service. No, this is a service that should be on the order of like five or ten bucks a year, and maybe not even that, because it's just not that complicated. The technology required to do this isn't a big deal. It's like running water inside your house getting more expensive, or electricity getting more expensive; it doesn't make sense. The reason I find this so upsetting is because this kind of stuff should be just a basic part of digital hygiene. The cost should be basically going to zero over time. Yeah, it might be ten bucks a year now, but next year it might be nine dollars; in another five or ten years it might be on the order of a dollar a year. That's what should be trending here. There's this idea in Silicon Valley to take things and make them scarce and then charge a lot of money for them, and it's a pretty common business model. If you sort of understand that, you'll notice it in a lot of other places, even here in America, like our internet bandwidth: let's take something that's kind of plentiful, make it scarce, and then charge a lot more for it. Let's take water, make it scarce, and charge a lot more for it. Oh, we've messed up the municipal water supply, now it's undrinkable, hahaha, let's charge. This is a pretty common capitalistic business model anymore, and it's downright scary. We literally have the tools to build something that's not oppressive and doesn't lead to misery and suffering of human beings. Let's not build software that locks people in a box and forces them to pay money, squeezes them to pay money, because it's just a race to see whoever can inflict the most misery on individuals so that they'll pay money to stop it, and that's just not a direction I want to go in.

I get what they're trying to do. They're trying to build a profitable product; they need to squeeze a little bit more out of it. They've captured some market, maybe they want to increase margins by getting rid of some of the freeloaders, so they've made changes to their free product that make it a little less actually useful, and this isn't the first time they've made changes to their product to make it more annoying for users. So I want to draw your attention to some other password managers, and really some of the fundamentals about the mechanicals of how this works.

First off, the synchronization service. That's really the special sauce. I mean, that's something out on the internet, and you should pay to defend that, right? I mean, you don't want to just have some random person spooling up some service somewhere and all of your passwords go there; how can that possibly be secure? I mean, isn't that basically what LastPass does? I mean, you should pay money to keep that secure. That's a little bit boogeyman; that's not really true. In an ideal world your password file is itself encrypted with a password that the synchronization service doesn't have. So when you enroll your devices in the synchronization service, authentication is required with a password or an account or something like that, but it's really just an exchange of information that is already encrypted. It's encrypted before it hits the wire; it's encrypted before it leaves your device. There are certainly many versions of this. Another version of this is public key cryptography, where you see this used a lot with secure shell connections and other types of connections that are a little different from the type of connections that you're used to with your email or something like that. Basically, you generate a public key and a private key, and those are, you know, large prime numbers, and somebody that you're communicating with, you can take their public key and your private key and do some encryption and send that down the wire, and the only thing that will produce an intelligible result at the remote end is the corresponding private key, because there's a mathematical relationship between the public and the private key that a user has. So this is public key cryptography, and this is sort of one of the fundamental foundations of the internet.

Well, yes, LastPass is implemented to provide some of these things at a fundamental level, which is awesome. It's basically had cryptographic experts look at it; it's not just some prodigal college student somewhere doing this without really understanding the deeper security implications, which is critically important in something like this. But the reality is that if you think about the synchronization service and keeping your stuff secure, that's sort of been there, done that. There are things like Google Drive and OneDrive, Dropbox; all of those other services provide basically the same functionality, except for files. And yeah, the files are not encrypted before they leave your machine. Well, I mean, they could be. You could create a password-protected zip file, for example, and store that on Dropbox, and Dropbox is not going to be able to look inside that zip file without that password, and it's non-trivial to recover that password or crack that password. So those services will provide file synchronization across different machines, but they don't necessarily provide the cryptographic part of it in exactly the same way.

Well, let me introduce you to KeePassXC. So KeePass is a piece of software that's open source, and KeePassXC is a particular version of KeePass that is open source, which is a different group; open source can be sometimes confusing. So this is a community plumbing problem, like I said, and some open source people sort of recognize this. Some open source people recognize that there are commercial companies that are trying to peddle their service, and they're maybe getting a little bit too indistinguishable from something that is grifting you unnecessarily, because like I say, these services should be getting cheaper and easier, not more expensive with fewer features, which is the situation that we find ourselves in. So KeePass provides an encrypted data store. It'll also optionally use something like a YubiKey to make its AES-256 key for the encryption, and AES-256 is a really, really awesome algorithm. The thing to understand with KeePass is that it actually supports a lot of synchronization options, but I think the easiest one is to just have a file. So the same way that you would move a file between multiple machines with something like Dropbox or OneDrive or Google Drive or Nextcloud or whatever service that you want to use for file synchronization, it works just fine, exactly the same way, for your password file. And remember, your password file is encrypted, so it's just like that encrypted zip file, but it's AES-256 encrypted. So they might be able to get their hands on the file, but they can't get their hands on your password, and if you use something like a security token, you're really not going to get into that, because AES-256.

I don't want to get super technical, but AES-256, if it's implemented correctly, would take more energy than you'd get out of a supernova to run through just a quarter of the key space, a little over a quarter of the key space of AES-256, assuming that the smallest measurable amount of energy that there can be according to the conventional laws of physics is all that it takes to search one key in the algorithm. So assuming the most efficient machine possible running at the cosmic background temperature, and we were able to harness 100 percent of the energy of a supernova, we're not going to get through an AES-256 key space. KeePassXC uses AES-256 to encrypt its file. So the really awesome thing is, if you use KeePassXC you can just rely on a file synchronization service like Dropbox, or Nextcloud, like if you DIY this and you host your own stuff, you can use Nextcloud and the synchronization works. It's pretty awesome. It has reasonably okay browser integration. It has YubiKey support, so if you're really technical and you want to roll a YubiKey, you can do that. A how-to for that is going to have to be left to the Level1 forum, because I don't want to get super long-winded in this video, but you can do basically everything that you want to do with KeePassXC, so you should give that a try as an alternative to LastPass.

Now, if you're a little less technical, and some of those words didn't sound like a lot of fun (because it is a lot of fun, trust me), I would also point you at Bitwarden. Now, Bitwarden is a commercial product, and they're kind of in the middle with this. So they'll pay for things like Twitter advertisements to advertise their product, so they're making money. They offer a synchronization service, but the software itself is free. If you don't want to use the synchronization service you don't have to, but it's a little bit more cumbersome and problematic to roll your own synchronization; it is nowhere near as easy as KeePassXC. But it has some features that KeePassXC doesn't have, like a really awesome browser integration, for example (although the KeePassXC browser integration is not terrible), mobile device integration, things like that. Now, with Bitwarden, what you get for 10 bucks a year is a gigabyte of storage (your password file's not going to be a gigabyte, that's crazy) and one-time passwords, a one-time password service, which is more useful than it sounds. Ten bucks a year is about what the cost should be on something like this, or about a dollar a month; anything more than that, you're being grifted. And let's face it, Bitwarden's actually making pretty good money at 10 bucks a year. So check out Bitwarden and try their synchronization service, because they do offer some stuff on the free tier.

Now, if you want to create your own Bitwarden synchronization server, you totally can, but not from the actual Bitwarden people. If you follow their instructions, in my opinion they're deliberately obtuse. There's a third party that's created a Docker container that will allow you to spin up your own synchronization server, and like everything else it seems to be encrypted on the wire. I don't know that I 100% trust this Docker container, because like I say it's from a third party, but it is open source and it's on GitHub, and so you can do that. So you do have an option to roll your own synchronization service: spin it up in Docker, you can do it in Linode, your own Linode hosting, like the lowest-tier Linode that you can possibly get, or just the most modest hosting that you could possibly imagine. You can run that, and then you have your password synchronization service. And this is really awesome, because then you'll be able to generate a unique password for every website that you use, have it autofill, and also have that file synchronized across all of your devices. You can also store a lot of other things in there other than passwords, things like instructions on how to access a system, or anything like that.

You still want to protect that file. Even though that file is on your Dropbox, you don't necessarily want to have that file on the public internet. Yes, it is encrypted, but it's only as protected as the master password. So you have one password for this encrypted file, and then it has access to all of your other passwords. So it is good that the password is not transmitted over the wire in a file synchronization scenario with something like KeePassXC, but that means that that master password has to be that much more awesome, and not used on any of the websites, in case they were to leak it. And if you use your YubiKey for your master password, that's pretty awesome. Yeah, I know that's a lot of steps, I know that's a headache, but this is sort of the modern world that we find ourselves in with password management. You absolutely do need to be using some kind of a password manager. I think that KeePassXC for the technical user, or Bitwarden for the less technical user, are the best choices that there are right now, much better than LastPass, especially after the last changes, and they're definitely something you should check out. So just a quickie. I'm Wendell, this is Level One, I'm signing out. See you later.
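The encrypted-file model described in the video (the vault is encrypted before it leaves the device, the sync service only ever carries ciphertext, and the whole thing rests on the strength of the master password) is shown below as a self-contained Go example added to this transcript. It is not code from the video, from KeePassXC or from Bitwarden; the file layout, the PBKDF2 work factor, the AES-256-GCM choice and the sample entries are assumptions made for illustration, not either product's real format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Entry is one vault record, the kind of data a password manager keeps in its encrypted file.
type Entry struct {
	Site     string `json:"site"`
	User     string `json:"user"`
	Password string `json:"password"`
}

// Assumed file layout for this example (not KeePass's or Bitwarden's own format):
// salt (16) || nonce (12) || AES-256-GCM ciphertext with 16-byte tag.
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // 256-bit AES key
	iterations = 100_000 // PBKDF2 work factor; real managers tune this higher or use Argon2
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA-256 (RFC 8018 section 5.2), written out with the
// standard library so the example has no dependencies.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, dkLen+hLen)
	idx := make([]byte, 4)
	for i := 1; len(out) < dkLen; i++ {
		prf.Reset() // U_1 = PRF(password, salt || INT(i))
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ { // T_i = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// aeadFor derives the AES key from master password + salt and wraps it in GCM.
// The salt lives in the file; the master password never does, so a sync provider holds nothing usable.
func aeadFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the entries; the returned blob is all a file-sync service ever sees.
func SealVault(master string, entries []Entry) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce on every write
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	// The salt is bound as associated data, so editing it in the file breaks the tag.
	return append(hdr, gcm.Seal(nil, nonce, plain, salt)...), nil
}

// OpenVault is the inverse. A wrong master password or any change to the blob fails the
// GCM tag check, so no partial or garbled plaintext is ever returned.
func OpenVault(master string, blob []byte) ([]Entry, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := aeadFor(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault")
	}
	var entries []Entry
	err = json.Unmarshal(plain, &entries)
	return entries, err
}

func main() {
	entries := []Entry{{Site: "example.com", User: "alice", Password: "hunter2-but-random"}} // constructed sample
	master := "long master passphrase used nowhere else"
	blob, err := SealVault(master, entries)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault file is %d opaque bytes\n", len(blob))
	if _, err := OpenVault("wrong master password", blob); err != nil {
		fmt.Println("open with wrong password:", err)
	}
	got, _ := OpenVault(master, blob)
	fmt.Println("recovered entry for", got[0].Site, "as", got[0].User)
}
```

Two points the code makes concrete: the blob can be copied through Dropbox, Nextcloud or any other sync service, and nothing in it lets the service recover a password, since the master password is only ever an input to the KDF on the device. The flip side is exactly the caveat at the end of the video: offline, the only thing standing between a leaked blob and its contents is the master password plus the KDF cost, so the master password must be long, unique and never reused on a website.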
Published: Sun Feb 21 2021
